In brief: I want users to come from one of our ~500 distinct application instances into a Discourse instance and be automatically authenticated.
We have a mixture of on-premise and cloud-hosted instances of our app. I’m keen on setting up a Discourse forum so that all users of our software can jump in and discuss things, and, to lower the barrier to entry and reduce friction, I want them to be able to do so without having to set up an account or reauthenticate.
I know that I can set up SSO for Discourse, but, understandably, there can only be one endpoint for this per Discourse instance. As we have around 500 instances of our software running (each with its own URL and its own internal authentication), what I need is some way of passing through a trusted authentication token to Discourse such that the user is automatically authenticated. My thinking is that we’d have a key installed on all of our application servers which is used to sign the request, and Discourse will then trust this.
My understanding is that this would introduce a security issue, in that if someone were to obtain this key, they could then log in as any user in the Discourse instance. I’m not sure if there’s a way around this.
Is there a best practice for this? Has anyone else done something similar? If so, how did you solve it?
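As an added illustration (not the poster's code and not Discourse's own implementation) of one way to keep Discourse's single SSO endpoint while avoiding one key that can impersonate everyone: a small broker verifies a short-lived token signed with that instance's own key, then answers Discourse's DiscourseConnect-style request (base64 payload plus hex HMAC-SHA256) under the one SSO secret only the broker holds, namespacing `external_id` by instance so a leaked instance key is limited to that instance's users. The keys, instance ids, forum URL and the instance-to-broker token format are all constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Constructed sample keys. Discourse itself knows only the broker's single SSO
# secret; each application instance holds its own key (hypothetical instance ids).
DISCOURSE_SSO_SECRET = b"constructed-broker-discourse-secret"
INSTANCE_KEYS = {"acme-prod": b"constructed-key-acme", "globex-onprem": b"constructed-key-globex"}

def sign(data: str, key: bytes) -> str:
    """DiscourseConnect-style signature: hex HMAC-SHA256 over the base64 payload string."""
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def b64(fields: dict) -> str:
    return base64.b64encode(urlencode(fields).encode()).decode()

def unb64(data: str) -> dict:
    return {k: v[0] for k, v in parse_qs(base64.b64decode(data).decode()).items()}

def discourse_request(nonce: str) -> tuple:
    """What Discourse sends to its SSO provider (nonce and forum URL are constructed here)."""
    sso = b64({"nonce": nonce, "return_sso_url": "https://forum.example/session/sso_login"})
    return sso, sign(sso, DISCOURSE_SSO_SECRET)

def instance_token(instance_id: str, user_id: str, email: str, ttl: int = 300) -> dict:
    """Short-lived token an application instance issues for its own logged-in user."""
    tok = b64({"instance": instance_id, "uid": user_id, "email": email, "exp": int(time.time()) + ttl})
    return {"token": tok, "sig": sign(tok, INSTANCE_KEYS[instance_id])}

def broker_exchange(tok: dict, sso: str, sig: str) -> str:
    """Broker (the single SSO endpoint): verify both sides, emit the Discourse response query."""
    # 1. Discourse's request must carry a valid signature under the shared SSO secret.
    if not hmac.compare_digest(sign(sso, DISCOURSE_SSO_SECRET), sig):
        raise ValueError("bad Discourse signature")
    nonce = unb64(sso)["nonce"]
    # 2. The instance token is checked with that instance's own key, never the SSO secret.
    fields = unb64(tok["token"])
    key = INSTANCE_KEYS.get(fields.get("instance"))
    if key is None or not hmac.compare_digest(sign(tok["token"], key), tok["sig"]):
        raise ValueError("bad instance token")
    if int(fields["exp"]) < int(time.time()):
        raise ValueError("expired instance token")
    # 3. Namespace external_id by instance so no instance can assert another instance's users.
    resp = b64({"nonce": nonce, "external_id": f"{fields['instance']}:{fields['uid']}", "email": fields["email"]})
    return urlencode({"sso": resp, "sig": sign(resp, DISCOURSE_SSO_SECRET)})

def decode_response(query: str) -> dict:
    """Decode the broker's response as Discourse would, re-checking its signature first."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    if not hmac.compare_digest(sign(q["sso"], DISCOURSE_SSO_SECRET), q["sig"]):
        raise ValueError("bad broker signature")
    return unb64(q["sso"])
```

Because only the broker holds the Discourse SSO secret, an instance key that leaks can mint tokens for that instance's `external_id` namespace and nothing else, and the short `exp` bounds replay.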